As RichM reaches out to the community, so should you reach out to RichM. This column lives and breathes with feedback from all of you. Let him know what you think of his column as well as what you'd like for him to cover. He's an admin just like most of you. If you feel he is forgetting something important in his new job, let him know.

Incident handling is a specialized field which is done best after proper training, guidance and experience. However, if you follow the six core steps to incident handling, you will have a better chance of recovering favorably from an unforeseen incident. The example below is an actual incident I experienced recently. I have outlined the steps taken as they pertain to the six steps of Incident Handling.

I offer up this outline not as an example of the perfect Incident Handling Process but rather as a good faith gesture to the community. There is a Latin Proverb that states, "A wise man learns by the mistakes of others, a fool by his own." I believe a wise man also learns from the experiences of others. Hopefully this month's column puts both of us on a path towards wisdom.

You mentioned what exploit was used (RealVNC), but what specifically was wkkvhrji.exe? Was that a trojan copied to the machine? Did any AV detect that as something?

Just from experience, Stinger is typically worthless for anything new. It's very good at detecting stuff 3 or 4 months and older. A strategy I tend to use for malware not detected by our AV is to submit it to VirusTotal. If at least one AV vendor detects it, then typically you can read their notes on it or run their online scanner. NormanSandbox and Anubis are also very useful in profiling the malware if you don't have your own sandbox. They often tell you exactly where in the registry changes were made and what type of network traffic the malware generates. Usually if one machine has it, someone else on your network does too. In regard to rootkit detectors, over the last year I've become increasingly frustrated with all the popular ones. Rootkit authors are building effective defenses to them. You might get lucky with some of the tools, so it's worth your time to try several of them, but for the most part you end up having to use a kernel debugger or verifying the MD5 hashes with your own image set or with a tool like Rutkowska's SVV. RKs are getting so stealthy and so difficult to remove that you basically have to gamble on waiting for a proper DAT to remove it. If you can't clean it, it's sometimes more viable to just nuke and pave the machine.
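The "verify the hashes against your own image set" approach mentioned above, as an added example that is not part of oleDB's post or of any tool named in the thread: take a hash baseline of a known-good file tree, then diff a later snapshot against it to surface modified, dropped and missing files. The directory layout, file names and contents are constructed for the demo; SHA-256 is used instead of MD5 because MD5 collisions are practical, though the `algorithm` parameter accepts either.

```python
"""Baseline-hash comparison for spotting tampered or dropped files.

Added example, not code from the original thread. The sample "image set"
is constructed inline in demo() so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Stream a file through the chosen hash so large binaries don't need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map each regular file under root (relative, POSIX-style path) to its digest.

    Symlinks are skipped so a link planted later cannot masquerade as a baseline file.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algorithm)
    return baseline


def compare_to_baseline(baseline, root, algorithm="sha256"):
    """Diff the current tree against a saved baseline.

    Returns three sorted lists: files whose digest changed, files present in the
    baseline but gone now, and files that did not exist when the baseline was taken.
    Caveat: a kernel-mode rootkit can lie to this process about file contents, so
    the comparison is only trustworthy when run from clean boot media against the
    mounted disk, which is what "your own image set" implies.
    """
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Build a constructed image set, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed known-good tree (hypothetical names, not real system files).
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"clean kernel bytes v1")
        (root / "system32" / "shell.dll").write_bytes(b"clean shell bytes v1")
        (root / "notes.txt").write_text("known good")
        baseline = build_baseline(root)

        # Simulated post-compromise state: one library patched in place,
        # one unknown binary dropped, one file deleted.
        (root / "system32" / "kernel.dll").write_bytes(b"patched kernel bytes")
        (root / "system32" / "dropped.bin").write_bytes(b"unknown payload")
        (root / "notes.txt").unlink()

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline dict would be written to disk (JSON is fine) from the clean image and kept off the host, so the suspect machine cannot rewrite its own reference set.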

You are absolutely correct, I am always open to feedback and any ideas that can help shape my column. I really enjoy doing my articles, and am very thankful to you and the EH community for your continued support. Please feel free to let me know of any ideas or issues you would like to see addressed in future columns. As Don has already stated, I am an admin and I may have missed crucial topics which would benefit all of us.

oleDB,

I didn't use the actual name of the exploit (just in case the attacker reads our site), but as far as I could tell, it was some type of trojan, possibly a key logger. My best guess is that the attacker was attempting to use the machine as a jumping off point, but never quite figured out what to do once he/she had access. The scanner(s) didn't detect anything, which forced me to use Google and figure out what exactly was taking place.

It is good to know that Stinger is worthless. I always use it as a secondary scanner; maybe it's time I move to something else like HouseCall, http://housecall.trendmicro.com/. I guess since it's freeware, we can't really expect top notch performance, and like you said, they should catch a piece of malware that has been around 3-4 months. Let's face it, most patches are issued and not applied for months on end, then attackers take advantage of the pre-existing flaw.

I have started to get into sandboxing, and like the idea of running a process in an area that keeps it from causing havoc on a machine. I will need to look into these two products (NormanSandbox and Anubis), since I am only familiar with Sandboxie, http://www.sandboxie.com/, which honestly I am less than thrilled with.

I know blowing away the machine is the safest way, but it is also time consuming and a huge pain. I (and everyone else) am hoping for an anti-rootkit that updates like anti-virus and stays one step ahead of malware programmers.

Thank you for giving me more apps to look into, and helping me to refine my approach to an incident. It is vital to stay on the cutting edge of the best tools which help to combat attackers' tactics.

Last edited by linuxstarved on Sun May 20, 2007 11:42 am, edited 1 time in total.